How to configure a WildFire Real-Time signature exception
Objective
Identify when a triggered wildfire-virus threat happened exclusively by WildFire Real-Time, and explore different threat exception options.
Environment
- Palo Alto Networks
- WildFire is configured for Real-Time Dynamic Updates.
Procedure
How to identify if a wildfire-virus threat detection happened because of WildFire Real-Time
- The entry in the Threat Logs is of type wildfire-virus
- When you search Threat Vault for the UTID, both the "Threat ID" and the "Current Release" under the Release column for "WildFire Signatures" show "n/a".
- When you search from the PAN-OS CLI, you will find the UTID entry in both the WildFire Real-Time management-plane (MP) and dataplane (DP) caches. Example:
MP Cache
> show wildfire-realtime-cache virus-pattern-type ALL | match <UTID>
Example:
> show wildfire-realtime-cache virus-pattern-type ALL | match 42496182
UTID: 42496182, NPatterns: 1, PatternPos: 0, Disabled: No
DP Cache
> debug dataplane show ctd wf-cache virus-pattern-type ALL | match <UTID>
Example:
> debug dataplane show ctd wf-cache virus-pattern-type ALL | match 42496182
UTID: 42496182, NPatterns: 1, PatternPos: 0, Disabled: No
How to add a threat exception for WildFire Real-Time signatures
To add a threat exception, simply add the UTID to the Exceptions section in the AntiVirus profile and Commit. See the Create Threat Exceptions documentation for instructions.
If a Commit cannot be pushed due to restrictions, the signature can be temporarily excepted on the fly via the PAN-OS CLI. Please note that this exception does not persist across a reboot and is therefore only meant as a stop-gap solution.
Add temporary exception:
- First, search for the entry using the cache commands described in Step 3 above.
- Then "delete" the entry from the cache, which effectively places the temporary exception. To do so, issue the command:
> request wildfire-realtime-cache delete virus-pattern-type PE UTID <UTID> virus-pattern <PATTERN>
Example:
> request wildfire-realtime-cache delete virus-pattern-type PE UTID 42496182 virus-pattern 0001000d0000000000000000000200021404004c00000006
Successfully deleted virus from WildFire real-time cache
- To verify that the temporary exception is active, use the cache commands described in Step 3. The signature is now listed as "Disabled: Yes". Example:
MP Cache
> show wildfire-realtime-cache virus-pattern-type ALL | match <UTID>
Example:
> show wildfire-realtime-cache virus-pattern-type ALL | match 42496182
UTID: 42496182, NPatterns: 1, PatternPos: 0, Disabled: Yes
DP Cache
> debug dataplane show ctd wf-cache virus-pattern-type ALL | match <UTID>
Example:
> debug dataplane show ctd wf-cache virus-pattern-type ALL | match 42496182
UTID: 42496182, NPatterns: 1, PatternPos: 0, Disabled: Yes
- To re-"add" the signature, that is, to remove the temporary exception, issue the command:
> request wildfire-realtime-cache add virus-pattern-type PE UTID <UTID> virus-pattern <PATTERN>
Example:
> request wildfire-realtime-cache add virus-pattern-type PE UTID 42496182 virus-pattern 0001000d0000000000000000000200021404004c00000006
Successfully added virus to WildFire real-time cache
Additional Information
There is an issue where disabled WildFire signatures may remain stuck in the WildFire DP cache (Ref. PAN-182689).
The issue affects firewalls running PAN-OS versions older than 10.1.10 or 10.2.3 where the WildFire Real-Time feature is not enabled in the WildFire-Virus Dynamic Update package configuration.
To resolve the issue, set the WildFire-Virus Dynamic Update schedule to Real-Time, or upgrade to PAN-OS 10.2.3, 10.1.10 or newer.
Another workaround is to clear all entries from the WildFire DP cache. You can specify the virus-pattern-type (PE if the signature is of type PE) or ALL to reset the whole WildFire DP cache:
> debug dataplane reset ctd wf-cache virus-pattern-type PE
or
> debug dataplane reset ctd wf-cache virus-pattern-type ALL
Note that this removes entries from the WildFire DP cache in bulk. There is no command available to delete a single UTID from the WildFire DP cache.
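As an added verification helper (not part of the original article or of PAN-OS), the following Python script parses pasted MP and DP cache output in the format shown above and classifies a UTID's exception state, flagging the PAN-182689 case where the MP cache shows the signature disabled but the DP cache still shows it enabled. The sample output below is constructed (the UTID is the one used in the article), and the script assumes the CLI output is pasted in unchanged.

```python
import re
from dataclasses import dataclass

# One cache row as printed by both the MP and DP cache commands on the page.
CACHE_LINE = re.compile(
    r"UTID:\s*(?P<utid>\d+),\s*NPatterns:\s*(?P<npat>\d+),"
    r"\s*PatternPos:\s*(?P<pos>\d+),\s*Disabled:\s*(?P<disabled>Yes|No)")

@dataclass(frozen=True)
class CacheEntry:
    utid: int
    npatterns: int
    pattern_pos: int
    disabled: bool

def parse_cache(output: str) -> dict[int, CacheEntry]:
    """Parse pasted CLI output into {UTID: entry}; the echoed prompt and
    blank lines do not match the row pattern and are skipped."""
    entries = {}
    for line in output.splitlines():
        m = CACHE_LINE.search(line)
        if m:
            entries[int(m["utid"])] = CacheEntry(
                int(m["utid"]), int(m["npat"]), int(m["pos"]),
                m["disabled"] == "Yes")
    return entries

def exception_status(utid: int, mp_output: str, dp_output: str) -> str:
    """Classify one UTID from the MP and DP cache output after an exception."""
    mp = parse_cache(mp_output).get(utid)
    dp = parse_cache(dp_output).get(utid)
    if mp is None and dp is None:
        return "absent"             # not in the Real-Time caches at all
    if mp is None or dp is None:
        return "inconsistent"       # present in only one of the two caches
    if mp.disabled and dp.disabled:
        return "exception-active"   # both caches show Disabled: Yes
    if mp.disabled and not dp.disabled:
        return "stuck-in-dp-cache"  # MP disabled, DP still enabled (PAN-182689)
    return "exception-missing"      # signature still enabled in both caches

# Constructed sample output in the page's format (UTID taken from the page).
MP_OUTPUT = """> show wildfire-realtime-cache virus-pattern-type ALL | match 42496182
UTID: 42496182, NPatterns: 1, PatternPos: 0, Disabled: Yes
"""
DP_OUTPUT_STUCK = """> debug dataplane show ctd wf-cache virus-pattern-type ALL | match 42496182
UTID: 42496182, NPatterns: 1, PatternPos: 0, Disabled: No
"""
```

A result of "stuck-in-dp-cache" is the signal to apply one of the workarounds above (enable Real-Time updates, upgrade, or reset the DP cache).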
For more information on this issue please see:
Why are disabled signatures (WildFire-Virus) getting triggered in PAN-OS 10.0 and above?